CyberWire Daily: Will Plankey Lead CISA to Victory? Hosted by N2K Networks
Release Date: March 12, 2025

Introduction

In the March 12, 2025 episode of CyberWire Daily, host Dave Bittner delves into the pressing cybersecurity issues facing the nation, the latest software vulnerabilities, and a deep conversation with industry expert Rocco D'Amico from Brass Valley. The episode titled "Will Plankey Lead CISA to Victory?" explores the potential impact of Sean Planke’s nomination to head the Cybersecurity and Infrastructure Security Agency (CISA), recent security patches from major tech companies, sophisticated cyber-attack techniques, and the ongoing paradox in the tech industry's hiring landscape.

CISA's Leadership Nomination

Sean Planke, a former cybersecurity official in the Trump administration and a U.S. Coast Guard veteran, has been nominated by the White House to lead CISA. His nomination is currently under Senate review. Planke brings a wealth of experience from his roles at the Department of Energy and the National Security Council, where he earned a Bronze Star for his work in offensive cyber operations in Afghanistan. Until recently, he spearheaded cybersecurity efforts at Indigo Vault.

Key Points:

• Expertise and Focus: Planke is praised for his focus on risk reduction and national security, advocating for stricter cloud security regulations and reducing dependence on adversarial nations for critical infrastructure.
• Criticism and Support: While some lawmakers question CISA’s mission scope, supporters highlight Planke’s extensive expertise and strategic vision for strengthening national cybersecurity defenses.

Notable Quote:

"Planke's expertise is exactly what CISA needs right now to navigate the complex cybersecurity landscape and enhance our national security posture."
— Dave Bittner [02:45]

Impact of Funding Cuts on Cybersecurity Initiatives

The nomination comes at a time when CISA is under scrutiny due to budget cuts affecting various security initiatives. Notably, the Election Infrastructure Information Sharing and Analysis Center (EI ISAC) has been shut down following a reduction in funding from the Department of Homeland Security (DHS). Experts express concern that these cuts could weaken the cybersecurity framework for elections and local governments, making them more vulnerable to cyber threats.

Key Points:

• Workforce Reductions: A former CISA penetration tester, Christopher Chenoweth, revealed that his 100-person team was disbanded after Elon Musk’s DOGE unit canceled their contract, highlighting the broader impact of budget cuts on cybersecurity teams.
• Consequences: The shutdown of key security initiatives like EI ISAC and Ms. ISAC jeopardizes the protection of electoral processes and municipal systems from cyber-attacks.

Notable Quote:

"These cuts weaken cybersecurity for elections and local governments, leaving them more exposed to potential threats."
— Dave Bittner [03:15]

Microsoft’s March 2025 Patch Tuesday

Microsoft released its March 2025 Patch Tuesday update, addressing 57 vulnerabilities, including six actively exploited ones. Critical patches focus on privilege escalation, remote code execution (RCE), security bypass, and information disclosure flaws.

Key Vulnerabilities:

• Windows Win32 Kernel: A zero-day vulnerability allows local attackers to gain system privileges through a race condition.
• NTFS Vulnerabilities: Two flaws enable attackers to extract sensitive data using malicious USB drives.
• Microsoft Access RCE Flaw: A publicly disclosed zero-day exploiting Microsoft Access, alongside critical RCE vulnerabilities impacting Windows Remote Desktop Services, Microsoft Office DNS, and the Windows Subsystem for Linux.

Recommendations:

• Immediate Patching: Security experts urge organizations to apply these updates without delay to mitigate exploitation risks.
• Enhanced Security Measures: Adoption of zero trust architectures is recommended to bolster defenses against future threats.

Notable Quote:

"Immediate patching is essential, especially for Office vulnerabilities, to prevent exploitation and secure your systems effectively."
— Dave Bittner [06:30]

Apple’s Emergency Security Update for WebKit Vulnerability

Apple issued an emergency security update addressing a critical WebKit zero-day vulnerability actively exploited in targeted attacks. This flaw allows malicious web content to escape the Web content sandbox, potentially enabling unauthorized actions across various Apple platforms.

Affected Systems:

• iOS, iPadOS, macOS, Safari, VisionOS, and tvOS.

Details:

• The vulnerability, an out-of-bounds read issue, has been utilized in sophisticated attacks, particularly targeting older iOS versions.
• This marks Apple’s third zero-day fix in 2025, following similar patches in January and February.

Recommendations:

• Immediate Update: Users are strongly advised to apply the latest security updates to protect against potential threats.
• Vigilance: Apple has not disclosed specific attacker details or targets, emphasizing the need for prompt action by all users.

Notable Quote:

"Users should update immediately to mitigate risks, as these vulnerabilities can be exploited without leaving significant forensic evidence."
— Dave Bittner [09:20]

Advanced MFA Bypassing Techniques

Researchers at Quark's Lab have uncovered sophisticated methods used by attackers to bypass Multi-Factor Authentication (MFA). These techniques exploit timing vulnerabilities and manipulate session tokens, effectively tricking systems into believing MFA was successfully completed.

Attack Methods:

• Timing Vulnerabilities: Exploiting delays in authentication workflows to intercept and modify authentication responses.
• Session Token Manipulation: Injecting JavaScript code to alter session flags before MFA verification is finalized, resulting in unauthorized access with minimal forensic traces.

Impact:

• Undetected Breaches: These attacks are challenging to detect, often appearing as legitimate authentication events.
• Vulnerability Scope: Systems that separate authentication and resource servers are particularly susceptible during network latency or error conditions.

Recommendations:

• Continuous MFA Validation: Implementing ongoing verification processes to prevent unauthorized modifications.
• Cryptographically Signed Tokens: Utilizing signed session tokens to ensure integrity and prevent tampering.
• Monitoring Accounts: Vigilant monitoring for suspicious activities, even with MFA enabled.

Notable Quote:

"These MFA bypassing techniques leave minimal forensic evidence, making unauthorized access nearly undetectable."
— Dave Bittner [10:15]

North Korea’s Lazarus Group Targets Cryptocurrency and Data

The Lazarus Group, a notorious North Korean hacking collective, has been linked to the distribution of six malicious NPM packages aimed at stealing credentials, deploying backdoors, and extracting cryptocurrency data. These typo-squatting packages, downloaded over 330 times, represent a continued effort to infiltrate software development environments.

Attack Characteristics:

• Malware Payloads: The packages deploy backdoors such as Beavertail and Invisible Ferret, targeting cryptocurrency wallets and browser-stored data.
• Supply Chain Exploits: These attacks are part of ongoing supply chain operations observed on platforms like NPM, GitHub, and PyPi.

Developer Guidance:

• Scrutiny of Dependencies: Developers are urged to thoroughly inspect their code dependencies for suspicious activities to prevent infection.

Notable Quote:

"Developers must be vigilant in monitoring their dependencies to prevent these sophisticated supply chain attacks from compromising their systems."
— Dave Bittner [11:45]

Interview with Rocco D'Amico: Hidden Risks in Retired Devices

In an insightful conversation with Rocco D'Amico from Brass Valley, the discussion centers on the often-overlooked risks associated with retired electronic devices and the broader skills gap in the cybersecurity industry.

Hidden Risks in Retired Devices

Key Insights:

• Incomplete Data Destruction: Many individuals and businesses believe that simple data wiping methods, like an F disk, effectively erase data. However, this often leaves residual data accessible.
• Hidden Media in Data Centers: As organizations transition to cloud computing, hidden media such as buffer memory in server arrays can retain sensitive data even after primary storage devices are wiped.
• Chain of Custody: Maintaining a complete chain of custody from data inventory to the destruction process is crucial for ensuring data is irretrievably destroyed.

Notable Quote:

"Arrays designed for speed and self-healing contain buffer memory that often goes unnoticed, holding onto all the data that passes through the hard drives."
— Rocco D'Amico [16:14]

Best Practices for Data Disposal

Recommendations:

• Comprehensive Inventory: Maintain a detailed inventory of all electronic assets to ensure complete data destruction.
• Reconciliation with ITAD Providers: Verify destruction processes with Independent IT Asset Disposition (ITAD) providers to ensure thorough data eradication.
• High Reliability Practices: Adopt practices from high-reliability industries (like nuclear and aviation) to minimize human error and ensure meticulous data handling.

Notable Quote:

"Achieving a complete cradle-to-grave chain of custody is essential for data security, protecting against potential breaches from mishandled retired devices."
— Sean Planke [16:57]

Addressing the Skills Gap Paradox

Discussion Points:

• Hiring Challenges: The tech industry faces a paradox where there's a shortage of skilled cybersecurity professionals, yet recent graduates struggle to find relevant positions.
• Employer Expectations: Companies often seek "job-ready" candidates without offering adequate training, relying instead on underpaid internships and demanding senior-level experience for entry roles.
• Impact of Post-COVID Layoffs: The influx of experienced workers from post-COVID layoffs has saturated the job market, making it harder for fresh graduates to secure roles.

Notable Quote:

"The skills gap in cybersecurity persists because employers want experienced professionals but are reluctant to invest in training new talent."
— Rocco D'Amico [24:13]

Tech Industry's Hiring Paradox

The episode concludes by highlighting the paradox within the tech industry's hiring practices. Despite a high demand for roles in software development, cloud computing, AI, and cybersecurity, employers struggle to find qualified candidates. This issue is exacerbated by automated hiring systems that favor keyword-stuffed resumes and the reluctance to offer competitive salaries or training opportunities.

Key Statistics:

• 31% of cybersecurity teams employ no entry-level professionals.
• Graduate Disadvantages: Fresh graduates face significant barriers due to post-COVID layoffs and a saturated job market.

Future Outlook:

• While the current hiring freeze poses challenges for new entrants, data suggests that this may be temporary. However, without systemic changes, the skills gap is likely to persist, hindering the industry's ability to respond to evolving cyber threats.

Notable Quote:

"For employers, the skills gap seems to be here to stay, making it imperative to rethink hiring and training strategies to bridge this divide."
— Dave Bittner [24:37]

Conclusion

The March 12, 2025 episode of CyberWire Daily offers a comprehensive look into the current state of cybersecurity, leadership changes within CISA, critical software vulnerabilities, and the industry's ongoing challenges in hiring skilled professionals. Through expert interviews and detailed analysis, the podcast provides valuable insights for cybersecurity professionals, policymakers, and anyone interested in the evolving landscape of digital security.

Key Takeaways:

• Leadership Impact: Sean Planke’s potential leadership at CISA could play a pivotal role in strengthening national cybersecurity defenses.
• Vulnerability Management: Immediate patching and advanced security measures are essential to protect against emerging threats.
• Data Disposal Practices: Comprehensive data destruction and reliable chain of custody are critical in preventing data breaches from retired devices.
• Hiring Solutions: Addressing the skills gap requires innovative hiring practices, investment in training, and cultural shifts within organizations.

For more detailed discussions and insights, listeners are encouraged to access the full episode and stay updated with the latest cybersecurity news and analyses.

For additional resources and further information, visit our daily briefing or subscribe to CyberWire Daily through your preferred podcast platform.